Privacy, Security and Data Protection - Health Sciences

We help clients develop privacy, security and data protection policies and practices tailored to their businesses. We advise on implementation and enforcement of privacy and security policies in transactions and agreements with vendors, business partners and others. We help clients protect against and respond to security and privacy breaches.

Pepper lawyers also identify and address privacy, security and data protection issues in mergers, acquisitions and other corporate transactions, including those with the U.S. government. We help clients navigate complex issues regarding e-discovery and employee surveillance in the workplace. As businesses increasingly move into online and digitized markets, we counsel them about new and continuing online privacy, security and consumer protection issues and litigate related compliance issues.

Representative engagements include:

Effective Procedures and Policies

  • providing best practices and standard operating procedures to assure compliance with laws, rules and regulations
  • advising global businesses on Privacy Policies and Terms of Use based on their anticipated uses and disclosures of the data collected
  • creating corporate policies for voice mail, e-mail, social media and internet use by employees, and security measures for third-party providers
  • counseling regarding employee privacy issues, including searches of employee property and drug and alcohol testing; and advising clients regarding employee nondisclosure obligations for confidential and proprietary information
  • counseling clients on securing, maintaining and enforcing cyber insurance policies
  • developing and implementing permissible online marketing practices and advising on anti-spam legislation
  • advising health care institutions on the development and implementation of an information security program, including an effective customer response in the event of a security breach
  • conducting comprehensive privacy, security and data protection audits.

Litigation and Regulatory Issues

Assist clients with breach responses, investigations and audits including:

  • assisting a large medical center in a breach response related to the improper disclosure of almost 1 million patient records
  • representing a publicly traded health care provider against claims of negligence, breach of fiduciary duty and violation of state law arising from the loss of a laptop
  • representing Johns Hopkins Hospital and related entities in a widely publicized putative class action alleging surreptitious photographing of patients and alleged dissemination in addition to boundary violations by an obstetrician/gynecologist
  • providing regulatory and transactional guidance in the use of mobile devices, social media and e-commerce to improve outcomes in health care
  • counseling on the application of regulations in the health care and life sciences area including HIPAA, FTC, FCC and FDA and global cross-border data transfer
  • responding to government and third-party requests for information
  • managing liability and defending litigation related to breach of security or privacy of personally identifiable information
  • taking action, whether by way of suit or pursuit of administrative remedies, to stop and rectify breaches once they occur.


  • assessing, designing and implementing more than 250 national and international information security and privacy compliance programs for health sciences and other clients
  • advising on industry-specific privacy and security laws and regulations and assisting with investigations and reporting obligations to industry regulators
  • counseling major global companies at the moment of the breach crisis in responding to security incidents
  • advising companies on positioning a breach event in the best light to avoid litigation and reputational damage
  • assisting a major pharmacy company with its reporting and monitoring obligations to comply with an FTC consent order and compliance plan, including monitoring privacy and security certifications of third parties
  • creating compliance systems for government contractors
  • counseling clients on the implications of state, federal and international laws and regulations, including California and other U.S. states, Canada, Asia, European Union and other foreign countries
  • advising clients on de-identifying data.

Business Transactions

  • representing companies in the health care industry in the licensing of information technology, data and medical devices
  • assisting a large multi-media company in launching a connected health platform
  • providing privacy, security and data protection advice relating to offshore processes in structuring outsourcing transactions (some exceeding $1 billion) to transfer all information technology to major outsourcing vendors and developing service levels to facilitate optimum performance
  • structuring e-commerce arrangements, including Web development and hosting agreements, electronic marketplaces’ Privacy Policies and Terms of Use, and EDI, including regulatory advice in privacy, security, CAN-SPAM and state, federal and international legislation
  • helping clients resolve ownership of data and databases, including advanced data analytics and data mining tools
  • identifying and addressing privacy, security and data protection issues in mergers, acquisitions and other corporate transactions
  • negotiating and managing the execution of offshore outsourcing to comply with U.S. and foreign regulations, including data protection
  • counseling both sides of a transaction about data transfers and data governance.
